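# This playbook is to be executed when first setting up
# the machine so we'll have to login as root, but in doing so
# we'll setup a user which can use sudo and use pem based authentication
# this should remove the ability to login as root with a janky password
#
# Task order matters: the webadmin user, its authorized key and its sudoers
# entry are all in place before sshd is reconfigured, so the root session
# used for this run is the last one that depends on a password.
---
- hosts: webhost
  remote_user: root
  tasks:
    - name: Ensure sudo is available
      apt:
        state: present
        update_cache: true
        name:
          - sudo
          - zsh

    # NOTE(review): assumes the `nginx` group already exists on the host;
    # the user module fails if it does not — confirm nginx is installed first.
    - name: Create webadmin user
      user:
        name: webadmin
        state: present
        shell: /bin/zsh
        groups:
          - nginx
        append: true

    - name: webadmin key copy
      authorized_key:
        user: webadmin
        state: present
        key: "{{ lookup('file', '~/.ssh/vultr/webadmin.pem.pub') }}"

    # Run visudo over the file before it lands: a syntax error in a
    # sudoers.d drop-in disables sudo for every user, and with root login
    # turned off below that would lock us out. 0440/root:root is the mode
    # sudo expects for drop-in files. NOPASSWD grants passwordless full root
    # to webadmin — that is the author's intent here, but it is the one line
    # to revisit once the box is in service.
    - name: Add webadmin to sudoers
      copy:
        dest: /etc/sudoers.d/webadmin
        content: |
          webadmin ALL=(ALL) NOPASSWD: ALL
        owner: root
        group: root
        mode: '0440'
        validate: /usr/sbin/visudo -cf %s

    # `regexp` turns these into edits of the existing directive. Without it,
    # lineinfile appends a new line at end of file; sshd uses the first value
    # it reads for a keyword, so if the directive is already set earlier (in
    # the file, an included drop-in, or a trailing `Match` block that the
    # appended line would fall into) the hardening silently does not apply.
    # `validate` stops a broken sshd_config from being written and then
    # taking sshd down on the restart handler.
    - name: Disable Password Authentication
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*PasswordAuthentication\b'
        line: PasswordAuthentication no
        state: present
        backup: true
        validate: /usr/sbin/sshd -t -f %s
      notify:
        - restart ssh

    # Same edit-in-place pattern as the task above, for the same reason.
    - name: Disable root login
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*PermitRootLogin\b'
        line: PermitRootLogin no
        state: present
        backup: true
        validate: /usr/sbin/sshd -t -f %s
      notify:
        - restart ssh

  handlers:
    # NOTE(review): apt implies a Debian-family host, where the unit is
    # normally `ssh` with `sshd` provided as an alias — confirm on the
    # target image; if the alias is missing the handler fails after the
    # config change has already been written.
    - name: restart ssh
      service:
        name: sshd
        state: restarted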